This is a complete list of all NRL publications on Onion Routing along with on-line copies where possible:
Onion Routing is an infrastructure for private communication over a public network. It provides anonymous connections that are strongly resistant to both eavesdropping and traffic analysis. Thus it hides not only the data being sent, but who is talking to whom. Onion Routing's anonymous connections are bidirectional and near real-time, and can be used anywhere a socket connection can be used. Proxy aware applications, such as web browsing and e-mail, require no modification to use Onion Routing, and do so through a series of proxies. Other applications, such as remote login, can also use the system without modification. Access to an onion routing network can be configured in a variety of ways depending on the needs, policies, and facilities of those connecting. This paper describes some of these access configurations and also provides a basic overview of Onion Routing and comparisons with related work.
This paper presents a security analysis of Onion Routing, an application independent infrastructure for traffic-analysis-resistant and anonymous Internet connections. It also includes an overview of the current system design, definitions of security goals and new adversary models.
The primary goal of Onion Routing is to provide private, traffic analysis resistant communications over a public network at reasonable cost and efficiency. Communications are intended to be private in the sense that both the public network itself and any eavesdropper on the network cannot determine the contents of messages flowing from Alice and Bob, and she cannot tell that Alice and Bob are communicating with each other. A secondary goal is to provide anonymity to the sender and receiver, so that Alice may receive messages but be unable to identify the sender, even though she may be able to reply those messages. For example, open source intelligence gathering via the web and pseudonym based email communications that hide the true identities of both sender and receiver.
Preserving privacy means not only hiding the content of messages, but also hiding who is talking to whom (traffic analysis). Much like a physical envelope, the simple application of cryptography within a packet-switched network hides the messages being sent, but can reveal who is talking to whom, and how often. Onion Routing is a general purpose infrastructure for private communication over a public network. It provides anonymous connections that are strongly resistant to both eavesdropping and traffic analysis. The connections are bidirectional, near real-time, and can be used for both connection-based and connectionless traffic. Onion Routing interfaces with off the shelf software and systems through specialized proxies, making it easy to integrate into existing systems. Prototypes have been running since July 1997. As of this article's publication, the prototype network is processing more than 1 million Web connections per month from more than six thousand IP addresses in twenty countries and in all six main top level domains.
Onion Routing operates by dynamically building anonymous connections within a network of real-time Chaum Mixes. A Mix is a store and forward device that accepts a number of fixed-length messages from numerous sources, performs cryptographic transformations on the messages, and then forwards the messages to the next destination in a random order. A single Mix makes tracking of a particular message either by specific bit-pattern, size, or ordering with respect to other messages difficult. By routing through numerous Mixes in the network, determining who is talking to whom becomes even more difficult. Onion Routing's network of core onion-routers (Mixes) is distributed, fault-tolerant, and under the control of multiple administrative domains, so no single onion-router can bring down the network or compromise a user's privacy, and cooperation between compromised onion-routers is thereby confounded.
Onion Routing is an infrastructure for private communication over a public network. It provides anonymous connections that are strongly resistant to both eavesdropping and traffic analysis. Onion routing's anonymous connections are bidirectional and near real-time, and can be used anywhere a socket connection can be used. (In some contexts not even socket connections are needed to use onion routing.) Any identifying information must be in the data stream carried over an anonymous connection. An onion is a data structure that is treated as the destination address by onion routers; thus, it is used to establish an anonymous connection. Onions themselves appear differently to each onion router as well as to network observers. The same goes for data carried over the connections they establish. Proxy aware applications, such as web browsing and email, require no modification to use onion routing, and do so through a series of proxies. A prototype of onion routing is running in our lab. This paper describes anonymous connections and their implementation using onion routing. This paper also describes several application proxies for onion routing, as well as configurations of onion routing networks.
This paper describes a communications primitive, anonymous connections, that support bidirectional and near real-time channels that are resistant to both eavesdropping and traffic analysis. The connections are made anonymous, although communication need not be. These anonymous connections are versatile and support private use of many different Internet services. For our purposes, privacy means maintaining the confidentiality of both the data stream and the identity of communicating parties. These are both kept confidential from network elements as well as external observers. Private Web browsing is achieved by unmodified Web browsers using anonymous connections by means of HTTP proxies. Private Web browsing may be made anonymous too by a specialized proxy that removes identifying information from the HTTP data stream. This article specifies anonymous connections, describes our implementation, and discusses its application to Web browsing via HTTP proxies.
The World Wide Web is rapidly becoming an important tool for modern day communication and commerce. But electronic messages sent over the Internet can be easily snooped and tracked revealing who is talking to whom and what they are talking about. Is privacy important and how can it be guaranteed? This paper describes how a freely available system, onion routing, can be used to provide privacy for a wide variety of Internet services, including Virtual Private Networks, Web browsing, e-mail, remote login, and electronic cash.
This paper describes security protocols that use anonymous channels, which do not reveal their endpoints, as primitive, much in the way that key distribution protocols take encryption as primitive. This abstraction allows us to focus on high level security goals of these protocols much as abstracting away from encryption clarifies and emphasizes high level security goals of key distribution protocols. The protocols described are for mobile applications that protect the location information of the participating principals.
Onion Routing provides anonymous connections that are strongly resistant to both eavesdropping and traffic analysis. Unmodified Internet applications can use these anonymous connections by means of proxies. The proxies may also make communication anonymous by removing identification from the data stream. Onion Routing has been implemented on Sun Solaris 2.4 with proxies for Web browsing, remote logins, and e-mail. This paper's contribution is a detailed specification of the implemented onion routing system, a vulnerability analysis base on this specification, and performance results.
Determining who is talking to whom (called traffic analysis) is an important source of intelligence information. As military grade communication devices increasingly depend on the public communications infrastructure, it is important to use that infrastructure in ways that are resistant to traffic analysis. It may also be useful to communicate anonymously, for example when gathering intelligence from public databases. We describe bidirectional and real-time Anonymous Connections that are strongly resistant to eavesdropping and traffic analysis attacks by both insiders and outsiders. If necessary, communication is made anonymous by removing identifying information from the data stream. These anonymous connections have been prototyped in a system that protects the privacy of communication over the Internet and, in particular, the World Wide Web. Anonymous connections can protect both identity and location in many switched communication systems, such as wired, cellular, or satellite phone networks.
Using traffic analysis, it is possible to infer who is talking to whom over a public network. This paper describes a flexible communication infrastructure, Onion Routing, which is resistant to traffic analysis. Onion Routing lives just beneath the application layer, and is designed to interface with a wide variety of unmodified Internet services by means of proxies. Onion Routing has been implemented on Sun Solaris 2.4; in addition, proxies for World Wide Web browsing (HTTP), remote logins (RLOGIN), e-mail (SMTP), and file transfers (FTP) have been implemented.
Onion Routing provides application independent, real-time, and bi-directional anonymous connections that are resistant to both eavesdropping and traffic analysis. Applications making use of Onion Routing's anonymous connections may (and usually should) identify their users over the anonymous connection. User anonymity may be layered on top of the anonymous connections by removing identifying information from the data stream. Our goal here is anonymous connections, not anonymous communication. The use of a packet switched public network should not automatically reveal who is talking to whom. This is the traffic analysis that Onion Routing complicates.
This paper describes an architecture, Onion Routing, that limits a network's vulnerability to traffic analysis. The architecture provides anonymous socket connections by means of proxy servers. It provides real-time, bi-directional, anonymous communication for any protocol that can be adapted to use a proxy service. Specifically, the architecture provides for bi-directional communication even though no-one but the initiator's proxy server knows anything but previous and next hops in the communication chain. This implies that neither the respondent nor his proxy server nor any external observer need know the identity of the initiator or his proxy server. A prototype of Onion Routing has been implemented. This prototype works with HTTP (World Wide Web) proxies. In addition, an analogous proxy for TELNET has been implemented. Proxies for FTP and SMTP are under development.
All Department of Defense telecommunications and
automated information systems and related equipment are for the
communication, transmission, processing, and storage of
U.S. Government information only. The systems and equipment are
subject to authorized monitoring to ensure proper functioning, to
protect against unauthorized use, and to verify the presence and
performance of applicable security features. Such monitoring may
result in the acquisition, recording, and analysis of all data being
communicated, transmitted, processed, or stored in this system by a
user. If monitoring reveals possible evidence of criminal activity,
such evidence may be provided to law enforcement personnel. Anyone
using this system expressly consents to such